From: "Anthony G. Basile"
Date: Tue, 31 Jan 2012 19:58:32 -0500
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?
Message-ID: <4F288E38.3040802@gentoo.org>

On 01/29/2012 02:14 PM, Mike Frysinger wrote:
> On Saturday 28 January 2012 07:26:59 Anthony G. Basile wrote:
>> I've run nbench on two amd64 systems both running the same kernel
>> vanilla-3.2.2.
> i don't think nbench is a good benchmark for this as it isn't really testing
> what you think it's testing.  it's very good at validating math support in the
> ISA/ABI, optimized compiler output, and supplementary math implementations in
> libgcc.  PIE vs non-PIE will still be able to multiply/divide in pretty much
> the same amount of time.

I know, but the problem is, what benchmark best approximates common everyday
use?  So I wrote the following which really hits the problem hard on x86:

    /* recurses n levels deep; each level sets up a new stack frame */
    int modfac(int n)
    {
        if (n == 0)
            return 1;
        return n * modfac(n - 1);
    }

    int main()
    {
        int i;
        /* repeat the 4096-deep recursion 4096*4096 times */
        for (i = 0; i < 4096 * 4096; i++)
            modfac(4096);
        return 0;
    }

Using vanilla kernel 3.2.2, userland built with vanilla toolchain,
gcc-4.5.3-r1, glibc-2.13-r4, binutils-2.21.1-r1, compiling my code simply as
gcc -o test modfac.c, CFLAGS="-O2 -march=i686 -pipe" I get:

    time -p ./test
    real 327.89
    user 327.72
    sys 0.00

Keep everything else the same, even the same hardware, but switch to userland
built with hardened gcc-4.5.3-r2 (not -r1 because of the bus error), I get:

    time -p ./test
    real 629.68
    user 629.37
    sys 0.00

The hardware is 8 x "Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz" with 12 GB RAM.

That's nearly a factor of 2x but how often does one set up 4k stack frames in
everyday use?

>> So at least on amd64, I don't think that performance is ever an issue.
> yes, most likely on systems where the PIC has hardware support in the ISA, the
> performance hit on PIE is typically low.
>
>> I have yet to look at x86.
> pretty sure this is going to be much more palpable.
> -mike

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
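
To confirm which kind of binary a timing run like the one above actually measured, or to audit SUID files for PIE as the subject line asks, the ELF header can be read directly. This is an added example, not part of the original mail; the function and enum names are hypothetical, and it assumes little-endian x86/amd64 files inspected on a little-endian Linux host.

```c
/* Added example, not from the original mail; all names are illustrative. */
#include <elf.h>
#include <stdio.h>
#include <string.h>

enum elf_kind { ELF_OTHER, FIXED_EXEC, PIE_EXEC, SHARED_LIB };

/* ET_EXEC: linked at a fixed address (non-PIE). ET_DYN: position independent;
 * treated as a PIE program if it has PT_INTERP, else as a shared library
 * (so a static PIE, which has no PT_INTERP, is reported as SHARED_LIB). */
enum elf_kind classify_elf(const unsigned char *buf, size_t len, int *bits)
{
    Elf32_Ehdr h32; Elf64_Ehdr h64 = {0};
    if (len < sizeof h32 || memcmp(buf, ELFMAG, SELFMAG) != 0) return ELF_OTHER;
    int is64 = buf[EI_CLASS] == ELFCLASS64;
    if (buf[EI_DATA] != ELFDATA2LSB || (!is64 && buf[EI_CLASS] != ELFCLASS32) ||
        (is64 && len < sizeof h64)) return ELF_OTHER;
    memcpy(&h32, buf, sizeof h32);
    if (is64) memcpy(&h64, buf, sizeof h64);
    unsigned type = is64 ? h64.e_type : h32.e_type;
    unsigned long long off = is64 ? h64.e_phoff : h32.e_phoff;
    size_t esz = is64 ? h64.e_phentsize : h32.e_phentsize;
    size_t num = is64 ? h64.e_phnum : h32.e_phnum;
    *bits = is64 ? 64 : 32;
    if (type == ET_EXEC) return FIXED_EXEC;
    if (type != ET_DYN) return ELF_OTHER;
    for (size_t i = 0; i < num; i++) {
        Elf32_Word p_type;   /* p_type is the first field in both ELF classes */
        if (off > len || i * esz + sizeof p_type > len - off) break; /* truncated */
        memcpy(&p_type, buf + (size_t)off + i * esz, sizeof p_type);
        if (p_type == PT_INTERP) return PIE_EXEC;
    }
    return SHARED_LIB;
}

int main(int argc, char **argv)
{
    static unsigned char buf[65536];   /* program headers sit near the start */
    static const char *name[] = { "other", "fixed (non-PIE)", "PIE", "shared lib" };
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        int bits = 0;
        enum elf_kind k = classify_elf(buf, n, &bits);
        printf("%s: %s, %d-bit\n", argv[i], name[k], bits);
    }
    return 0;
}
```

Built with a plain `gcc`, it takes file paths as arguments and prints one line per file, so it can be run over the benchmark binary from each toolchain before comparing times.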